The present invention relates to methods for defining network access control rules. A network access control rule may be used by a data processing system to filter packets sent to and received from an endpoint. For example, a firewall hosted on a network component may have one or more network access control rules that it uses to filter packets sent to or received from one or more data processing systems behind the firewall. As another example, a hypervisor may have one or more network access control rules that it uses to filter packets sent to or received from one or more logical or “virtual” machines under the hypervisor's control.
One or more network access control rules are often defined for each individual endpoint. However, as more endpoints such as data processing systems and virtual machines are added to networks, data centers and cloud computing systems, more network access control rules are required to filter packets sent to and received from these endpoints. Some systems may have hundreds or even thousands of endpoints. Accordingly, scalability becomes an issue as the cost of administering and managing network access control rules increases.
These issues may arise both in the context of a plurality of physical data processing systems behind a network control system such as a firewall, and in the context of a plurality of virtual machines. For example, one or more virtual machines may be hosted on a data processing system and may share the data processing system's resources. A hypervisor may control and/or manage these virtual machines. An administrator who wishes to impose a general policy that is applicable to each virtual machine may be required to define a separate network access control rule for each virtual machine. For example, an administrator may wish to define a separate rule for each virtual machine that drops egress packets whose source MAC address does not match the virtual machine's MAC address (e.g., to prevent MAC address spoofing).
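The following is an added illustration, not part of the patent text, of the per-virtual-machine anti-spoofing rule described above: a hypervisor inventory of VM-to-MAC assignments yields one egress rule per VM, and a packet is dropped when it leaves a VM with a source MAC other than the one assigned to it. The Packet and Rule types, the filter function and the inventory values are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed example: per-VM egress anti-spoofing rules as a hypervisor
# might hold them, one rule per virtual machine.

@dataclass(frozen=True)
class Packet:
    direction: str   # "egress" or "ingress" relative to the virtual machine
    vm_id: str       # virtual interface the packet was observed on
    src_mac: str
    dst_mac: str

@dataclass(frozen=True)
class Rule:
    vm_id: str       # the VM this rule was written for
    action: str      # "drop"
    own_mac: str     # the VM's assigned MAC; any other source MAC is dropped

def build_per_vm_rules(inventory: Dict[str, str]) -> List[Rule]:
    """One rule per VM: drop egress packets whose source MAC is not the VM's own."""
    return [Rule(vm_id=vm, action="drop", own_mac=mac.lower())
            for vm, mac in inventory.items()]

def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """Return 'drop' if a rule for this VM matches the packet, otherwise 'allow'."""
    if pkt.direction != "egress":
        return "allow"            # the rule only concerns traffic leaving the VM
    for rule in rules:
        if rule.vm_id == pkt.vm_id and pkt.src_mac.lower() != rule.own_mac:
            return rule.action    # source MAC does not match the VM's MAC
    return "allow"

# Constructed inventory: virtual machine -> MAC address assigned by the hypervisor
INVENTORY = {
    "vm-1": "52:54:00:aa:bb:01",
    "vm-2": "52:54:00:aa:bb:02",
    "vm-3": "52:54:00:aa:bb:03",
}
RULES = build_per_vm_rules(INVENTORY)   # rule count grows with the VM count

def demo():
    bcast = "ff:ff:ff:ff:ff:ff"
    legit = Packet("egress", "vm-1", "52:54:00:aa:bb:01", bcast)
    spoof = Packet("egress", "vm-1", "52:54:00:aa:bb:02", bcast)  # vm-2's MAC from vm-1
    return filter_packet(RULES, legit), filter_packet(RULES, spoof), len(RULES)

if __name__ == "__main__":
    print(demo())   # ('allow', 'drop', 3)
```

Each additional VM in INVENTORY adds another rule, which is the administrative cost the text refers to.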